Raven is a peer-to-peer messenger powered by ATSAM, a layered security protocol that covers every path your message can take — offline mesh, bridge handoff, and online server-routed delivery. Post-quantum hybrid pairing, private peer discovery, live device verification, encrypted routing on every path, and optional Vault Mode for sensitive text messages.
Raven is powered by ATSAM, a layered security protocol that protects every path a message can travel — offline Bluetooth mesh, bridge handoff between mesh and internet, and online server-routed delivery. Each layer has a precise job, and each layer makes only the security claim it can defend.
The Double Ratchet derives a fresh encryption key for each message and erases the old one. If your phone is compromised tomorrow, yesterday's messages stay secret. Every conversation heals itself with the next handshake, what cryptographers call post-compromise security.
End-to-end encryption only works if you're talking to the right person. Raven now derives a 60-digit Safety Number from your two identity keys, read it aloud, scan the QR, or compare in person. If the numbers match, no man-in-the-middle is possible, even if the carrier, the ISP, and our own server all collude.
Every message, post, and reaction is sealed on your device with AES-256-GCM keys derived from the X3DH handshake. Whatever path the envelope takes, server, peer, or 5-hop bridge, only ciphertext travels.
When the network's gone, Raven hands the same encrypted envelope to a peer-to-peer BLE mesh. Relay devices forward bytes they can't read, can't modify, and can't impersonate, zero-knowledge by design.
Identity, signing, and ratchet keys live in iOS Keychain, hardware-bound to your device. They don't appear in iCloud backups, can't be cloned with the rest of your phone's data, and we cannot extract them even under legal order.
No phone numbers. No address books uploaded. No contact graph on the server. Push notifications carry no message content, only a wake-up. The local database is sealed with SQLCipher (AES-256).
DMs, groups, voice rooms, posts, and geo-pinned moments. All wrapped in the same end-to-end encrypted envelope, and all available when you have no signal.
Bluetooth Low Energy carries encrypted chats, posts, and receipts across up to 5+ hops. Neighbours become the network, no internet, no cell, no problem.
Hide chats, photos, and files behind Face ID. Vaulted content is double-encrypted with a key that never touches the network, even App Lock alone won't unseal it.
Live voice rooms with low-latency SFU routing. Concert mode auto-discovers attendees in a venue and spins up a private channel.
An algorithm-free social feed that syncs over the mesh. Posts, comments, mentions all replicate offline and reconcile when peers reconnect.
Pin photos and short clips to a real-world location. Discover what's around you on a private, expiring map, never aggregated, never sold.
Smart-reply suggestions and Apple Translation run entirely on the device using Foundation Models. No prompts, transcripts, or contact data ever leave the phone.
A serious messenger needs serious accountability. Below is the honest scoreboard, including the items every security reviewer asks about, with the version they ship in.
Forward secrecy and post-compromise security on every 1:1 conversation, on internet AND mesh. The leak of any one key never reveals past or future messages.
SHA-512-derived 60-digit fingerprints, comparable in person, by voice, or QR. A simple, in-person way to detect machine-in-the-middle attacks before they happen.
Identity, signing, ratchet keys never leave the device. No iCloud backup. Court-resistant.
Authenticated encryption + sender authentication on every envelope. Replay nonce + sliding-window dedup on every relay.
Inner ChaCha20-Poly1305 wrapped in outer AES-256-GCM with a key-committing HMAC tag, both ciphers must fail before plaintext leaks. (Inner/outer keys are independent; commitment defeats Salamander-class multi-key attacks.)
Zero-knowledge password authentication. The server never receives the password, not even hashed. A full DB breach reveals zero usable credentials.
Hides sender identity from the relay layer. The server learns the message exists and where it's going, never who sent it. X25519 ephemeral + AES-GCM seals the inner envelope to the recipient's identity key.
Opt-in passphrase-sealed backup (PBKDF2-SHA256 600 000 iterations + AES-256-GCM) of identity + ratchet state. Lose your phone, keep your messages, without ever shipping the recovery passphrase to our server.
Your identity keypair rotates automatically every 180 days. Each transition certificate is signed by BOTH the old AND the new key, so peers who only see the new key can still prove provenance back to the old one. The certificate chain is locally verifiable forward and backward.
Anyone can rebuild the App Store binary from public sources and verify it byte-for-byte against the published manifest (source SHA-256 + Mach-O SHA-256 + bundle SHA-256). The build that runs on your phone is the build we publish.
Sensitive byte buffers (chain keys, ratchet roots, in-flight plaintext) live in SecretKey, mlock'd so the OS can't write them to swap, then triple-zeroised on deinit (0x00 / 0xFF / 0x00) to defeat optimiser-eliding writes.
An online RAVEN device can opt in to act as a cipher-text relay for nearby offline neighbours over BLE. Only the recipient hint and an opaque ciphertext blob cross the gateway, never the plaintext or the original sender. Token-bucket rate limiting + replay-nonce dedup; deactivates automatically when the phone gets hot, low on battery, or backgrounded.
Hybrid signing & key agreement layered on top of the current Ed25519 / X25519 stack, both must fall before an attacker reads anything. Rolls in once Apple ships ML-KEM in CryptoKit (today we'd need a third-party C lib, we won't take that dependency).
Shamir + Feldman VSS so a passphrase-loss user can recover with three trusted contacts instead of being permanently locked out, no copy of the key on our servers.
Today the mesh-to-internet gateway sees the recipient hint. Sphinx-style layered encryption hides who-asked-whom-to-relay-what from the gateway and from any single mesh hop.
Per-group symmetric keys give us today's correctness; Messaging Layer Security gives us proven-secure, scalable group ratcheting. Migration target: v1.8.
Cure53 / Trail of Bits / NCC Group-tier engagement against the cryptographic core. Full report published in the open. "Designed to be reviewed" is not the same as "audited", we know.
The X3DH / Double Ratchet implementation, the mesh envelope, the BLE protocol layer, and the new desktop-login bridge, released under an audit-friendly license. Application code follows in stages.
Traffic-analysis is a real attack on BLE mesh. Constant-rate padding + decoy envelopes at the radio layer to flatten the "who-talks-to-whom" pattern.
Domain fronting + pluggable transports (obfs4 / Snowflake-style) so Raven keeps connecting in Iran, China, Russia, and any future filtered network, without leaking that you're using Raven.
App-layer authentication already neutralises pairing-level attacks (we sign every envelope; relays can't downgrade us). Protocol-level mitigations (encrypted pairing, MITM-resistant GATT verification) tracked publicly in the security audit.
Trust in a messenger is earned by what you ship and what you admit. So, plainly: we are not yet open-source, we have not yet been audited, and our group protocol is not yet MLS. Each of those has a target version above and a public commitment. If we miss a date, we'll say why. We'd rather you believe a roadmap we deliver than a marketing claim we can't back up.
The same Swift codebase ships natively on both, no Electron, no shim, full background BLE on each platform.
Swift + SwiftUI, Liquid Glass UI, CoreBluetooth peripheral and central running concurrently for full mesh participation in foreground and background.
NavigationSplitView shell with a capsule sidebar, ⌘-shortcuts everywhere, and a LaunchAgent companion that keeps mesh delivery alive while the window is closed.
Every message, whether DM, post, or live audio control, is wrapped in the same signed envelope. The router picks the cheapest path that's actually working.
Real-time delivery over WebSocket against a Python FastAPI service on Google Cloud Run. Push fan-out via APNs for offline recipients.
Peer-to-peer BLE GATT writes between devices that see each other. Multipeer Connectivity adds a Wi-Fi/AWDL fast lane in the same room.
Store-and-forward across multi-hop relays. A neighbour holds your encrypted envelope until it meets a node that can finish delivery, back online or in range of the recipient.
Crypto primitives, mesh routing, and the message envelope format are documented in full. Researchers, security teams, and serious users can request review access to the security-critical sources, we'd rather you check than take our word for it.